From 0b4957126899975f603038501337421f84bcb3e4 Mon Sep 17 00:00:00 2001
From: Chocobozzz <me@florianbigard.com>
Date: Fri, 16 Feb 2018 11:04:12 +0100
Subject: Try to improve production guide

---
 support/nginx/peertube | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)

(limited to 'support/nginx/peertube')

diff --git a/support/nginx/peertube b/support/nginx/peertube
index 6a076a8f8..1aa6108cc 100644
--- a/support/nginx/peertube
+++ b/support/nginx/peertube
@@ -6,7 +6,10 @@ server {
   access_log /var/log/nginx/peertube.example.com.access.log;
   error_log /var/log/nginx/peertube.example.com.error.log;
 
-  location /.well-known/acme-challenge/ { allow all; }
+  location /.well-known/acme-challenge/ {
+    default_type "text/plain";
+    root /var/www/certbot;
+  }
   location / { return 301 https://$host$request_uri; }
 }
 
@@ -15,12 +18,12 @@ server {
   listen [::]:443 ssl http2;
   server_name peertube.example.com;
 
-  # For example with Let's Encrypt (you need a certificate to run https)
+  # For example with certbot (you need a certificate to run https)
   ssl_certificate      /etc/letsencrypt/live/peertube.example.com/fullchain.pem;
   ssl_certificate_key  /etc/letsencrypt/live/peertube.example.com/privkey.pem;
-  
+
   # Security hardening (as of 11/02/2018)
-  ssl_protocols TLSv1.3, TLSv1.2;# TLSv1.3 requires nginx >= 1.13.0 else use only TLSv1.2
+  ssl_protocols TLSv1.2; # TLSv1.3, TLSv1.2 if nginx >= 1.13.0
   ssl_prefer_server_ciphers on;
   ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
   ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
@@ -29,8 +32,11 @@ server {
   ssl_session_tickets off; # Requires nginx >= 1.5.9
   ssl_stapling on; # Requires nginx >= 1.3.7
   ssl_stapling_verify on; # Requires nginx => 1.3.7
-  resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
-  resolver_timeout 5s;
+
+  # Configure with your resolvers
+  # resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
+  # resolver_timeout 5s;
+
   add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
   add_header X-Frame-Options DENY;
   add_header X-Content-Type-Options nosniff;
@@ -63,8 +69,8 @@ server {
     proxy_set_header Host $host;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 
-    # For the video upload
-    client_max_body_size 2G;
+    # Hard limit, PeerTube does not support videos > 4GB
+    client_max_body_size 4G;
     proxy_connect_timeout       600;
     proxy_send_timeout          600;
     proxy_read_timeout          600;
-- 
cgit v1.2.3